(I posted this as a bug in GitHub (https://github.com/rails/rails/issues/7018), but then someone there told me I should post it here, so here it is.)
If you set attr_accessible on some properties in an ActiveRecord-descended class, and then attr_protected on others - the class becomes 'default-open' - if any properties are missed or added later, they will be accessible by default to MassAssignment. This undoes the entire point of having put attr_accessible in one's class. Two possible solutions - #1) 'default-closed' - the attr_protected statements will either be ignored, or just used to override attr_accessiblefor a particular property. #2) 'explicit-only' - any attribute accessed in mass-assignment that is not explicitly mentioned in eitherattr_accessible or attr_protected raises a new error - something like MassAssignmentError:AttributeNotExplicitlyDeclared. Maybe even throw an error if the attribute is accessed in*any* way (mything.whatever="boo"; # kerplow! throws error?) though that might perform poorly. Solution #1 is probably fine - accesses to not attr_accessible properties will throw a MassAssignment error under these circumstances anyways. Solution #2 just makes things really explicit, which some might want for some kinds of high-security applications. I found this bug in my own code during the development cycle; I liked putting both attr_accessible andattr_protected in for symmetry and to remind me of my DB schema at the top. Stupid reason, I know. I found that a belongs_to relation was unprotected in that circumstance. -B. -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-core/-/cKUcUmVToewJ. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
